A tale of disappearing items, late authenticators, and few concrete answers.

When I first heard that a number of Diablo III players were complaining loudly that their Battle.net accounts were being hacked, and their in-game items and gold stolen wholesale, I assumed that it was a relatively small problem being blown up in traditional Internet message board fashion. I generally accepted Blizzard's official statement that the "extremely small" number of complaints they had received were mainly the result of standard social engineering hacks like hidden keyloggers and phishing scams.

Then I logged in to my Diablo III account earlier today and found that I had become one of those careless victims, my character stripped bare and my gold balance drained.

It's not even like I was a prime target for an attack. My level 14 Demon Hunter wasn't exactly festooned with high-end weaponry and armor, thanks to a play schedule limited heavily by recent travel and E3 preparations. But still, I was somewhat proud of the magical crossbow and relatively hefty shield I had mustered up, as well as a decent set of armor mostly purchased from an upgraded blacksmith. Now, all those items were gone, except for, oddly enough, a Superior Belt with an armor rating of 34 that was still wrapped around my waist. I still had all my level 14 abilities and statistics, as well as my quest progress. But without my gear and gold, I felt like I was starting over from scratch.

After putting in a call to Blizzard support and being warned of a 40-minute estimated wait time, I took the prerecorded hold voice's advice and scanned my computer for viruses. After AVG Free and Malwarebytes both confirmed my system was clean, I changed my password just to be on the safe side. This required logging in using the mobile authenticator that I had signed up for last Friday, a precaution I took after first hearing about the hacking complaints, figuring it was better to be safe than sorry.

After spending an hour on hold, a chipper Blizzard account representative came on the line and asked for my first and last name and e-mail address. I explained the problem of the missing loot, and he assured me that he'd probably be able to help me.

He brought up my account and explained that the restoration process for Diablo III was slightly different from that for World of Warcraft. He couldn't simply give me back the items and gold I had lost, he said, but he could perform a full account rollback to one of a number of server snapshots that are taken every 24 hours or so. This would eliminate any game progress I had made since the snapshot was taken, which wasn't a practical issue for me because I hadn't actually played the game after I discovered all my stuff was missing.

The last such snapshot that Blizzard had on file for my account was from Wednesday, May 23rd, showing me with a full set of gear and just shy of 4,000 gold. I was relatively sure that I hadn't logged into the game that day, but now that a week has passed, I can't really be sure. In any case, it leaves a small window between the last time I was confirmed to have my gear and the time I installed the mobile authenticator on Friday in which I could have been hacked. Guess I shouldn't have put off increasing my security for so long (I didn't actually check the status of my Diablo III gear on Friday, having used the Web interface to sign up for and test the authenticator).

When I pressed the rep for any details on how this account compromise might have happened, he said there was no way to be sure, and gave me the same old song and dance about keyloggers and viruses being the primary culprits. When I asked if he could go in and track what had happened to my loot and when, he apologized and said the only records he had access to were ones that showed when my account had been accessed. This seems like a pretty limited virtual crime-scene investigation tool, considering this problem happened in a game in which every player is online and every action, authorized or not, is presumably logged on a server somewhere. Then again, it's possible the capability exists, but the information is provided on a strict need-to-know basis to protect my privacy.

What's more, he admitted that there was a current issue with Blizzard's systems that was stopping him from seeing certain logins from other locations in his records. "So it could be a case like that where the account was logged into from somewhere else and we just can't see it," he said. When I brought up my recently activated mobile authenticator, he said that the compromise must have happened just before I set it up, and that the two-step verification system was "not 100 percent secure, but one of the most secure methods of protecting your account."

From that point, actually getting my loot back was a relatively painless process. The phone rep directed me to a Blizzard tech support web page where I could submit a ticket with a special keyword that would bump me into a priority queue for account restoration. He warned me that all Battle.net accounts are limited to two such rollbacks over the lifetime of the game, and so urged me to be extra careful with my account details from here on out. Within a half-hour of hanging up, my account was restored and my character was again standing in full regalia, ready to take on the demonic hordes.

It wasn't until I had been through this entire process, and I was talking about potential security threats with an expert, that I realized that my password security might not have been as airtight as I thought. The password I've been using for my Battle.net account was the same one I used to use on services such as Twitter and PSN before they were potentially compromised through well-publicized hacking scandals. I've updated most of my crucial accounts with much more secure, unique passwords since then, but I'd forgotten to change my Battle.net password in that time (and simply forgot that the old password was in any way insecure).

This seems like the most likely security hole, in hindsight, and one that could have been easily closed had I been more vigilant, or quicker to sign up for Blizzard's two-step authentication service (a measure, it should be noted, that's more secure than those offered by most banks). Still, I'll probably never be completely sure how I briefly lost all my progress in Diablo III, and the whole affair has made me quite a bit more paranoid about my computer security. I can only hope that the experience serves as a cautionary tale for me and others going forward.

After this, if you get a phishing email to blah@gmail.com you know it didn't come from bnet.

Furthermore, take this many steps farther: for every site you have an account with, set your email to blah+randomsite@gmail.com so you can easily filter all sites by your incoming email address.

*cough* I use this on many sites, but I haven't tried with bnet; bnet may not allow + signs in email addresses. I've run into a rare site that doesn't. So if it doesn't work with bnet, sorry. I'm feeling lazy and don't feel like testing my theory atm.
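The filtering the commenter describes can be turned into a mechanical check: mail from a service must arrive at the plus-tag that service was given, and mail claiming to be from a service but sent to the bare address (or to another service's tag) is flagged. The following is an added example written for this page, not code from the commenter; the tag-to-domain table and the sample headers are constructed, and the regex assumes the simple `local+tag@domain` form rather than full RFC 5322 address syntax.

```python
import re
from email.utils import parseaddr

# Constructed mapping (example values, not anything the forum poster set up):
# the plus-tag handed to each service -> the domain that service mails from.
REGISTERED_TAGS = {
    "bnet": "blizzard.com",
    "twitter": "twitter.com",
}

# Deliberately simple: local part, optional "+tag", domain. Not full RFC 5322.
PLUS_RE = re.compile(r"^(?P<local>[^+@]+)(?:\+(?P<tag>[^@]+))?@(?P<domain>[^@]+)$")


def split_plus_address(addr):
    """Split 'blah+tag@gmail.com' into (local, tag, domain); tag is None when absent."""
    m = PLUS_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not a plain e-mail address: {addr!r}")
    return m.group("local"), m.group("tag"), m.group("domain")


def _claims_service(sender_domain):
    """Return the registered tag whose domain the From header claims, or None."""
    for tag, domain in REGISTERED_TAGS.items():
        if sender_domain == domain or sender_domain.endswith("." + domain):
            return tag
    return None


def classify(headers):
    """Verdict for one message, decided by which plus-tag it was delivered to.

    'ok'          tag matches the service the sender claims to be
    'suspicious'  a registered service mailed the bare address, or the mail
                  went to a tag that was given to a different service
    'unknown-tag' a tag we never handed out (typo, or guessed by a spammer)
    'personal'    untagged mail that claims no registered service
    """
    _, to_addr = parseaddr(headers["To"])
    _, from_addr = parseaddr(headers["From"])
    _, tag, _ = split_plus_address(to_addr)
    _, _, sender_domain = split_plus_address(from_addr)
    claimed = _claims_service(sender_domain)

    if tag is None:
        return "suspicious" if claimed else "personal"
    if tag not in REGISTERED_TAGS:
        return "unknown-tag"
    return "ok" if claimed == tag else "suspicious"


# Constructed sample headers, not real mail.
SAMPLE_MESSAGES = [
    {"From": "Blizzard <noreply@blizzard.com>", "To": "blah+bnet@gmail.com"},
    {"From": "Battle.net Support <security@blizzard.com>", "To": "blah@gmail.com"},
    {"From": "Battle.net <login@blizzard-login.example>", "To": "blah+twitter@gmail.com"},
    {"From": "Mom <mom@example.org>", "To": "blah@gmail.com"},
    {"From": "Deals <promo@example.net>", "To": "blah+xyzzy@gmail.com"},
]


def triage(messages=SAMPLE_MESSAGES):
    """Return the verdict for each message, in order."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, triage()):
        print(f"{verdict:12} {msg['To']:24} <- {msg['From']}")
```

The From header is only used to decide which service the mail claims to be; since From is trivially forged, the real signal is the To tag, which the phisher does not know. The commenter's caveat applies unchanged: a site that rejects `+` in addresses cannot be enrolled this way.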

For the paranoid: somebody could infer your password from the page you stopped browsing at. Even though my password was not there, someone looking at my logs could deduce which character my password starts with (even small leaks, like disclosing whether your password starts with a number or a letter might be useful).

I mean all you need to do is get something more secure than a PW. The authenticator app is free and basically ensures it won't be your fault when shit happens. Or spend $7 or so for the keychain. People complain about the price, but the game was $60+ and all the time they spend in it? Unless they don't value their time, there's no excuse.

Blaming the bad guys first is a given

I just don't like the adversarial mindset that blaming establishes. If someone gets hacked (and hadn't done anything stupid like buying gold or visiting grey-area sites), it's simply not their fault. Yes they could've got an authenticator, but people's desire to get an authenticator is based on their perception of risk. I think Blizzard should be more aggressive about just coming out and saying "Shitbags are stealing people's account info all over the place. We're not sure how, we're looking into it, but they're cunning, evil, and persistent. Stay safe."... in the game, not the forums.

I also think they should stomp harder on people peddling the "Blizzard's just selling authenticators because they want your cash" nonsense. It's counter-productive drivel.

thomasfortherage wrote:

Okay, aside from that, all I thought was that surely If you are MagicMaster69er and you have 4000 Gold, and then 4000 Gold is hacked and sent to Uberh4x0rBigdickman, isn't that pretty easy to just ban fuckstick haxor? Forgive my ignorance.

Yes, and they may well be doing so as fast as they can. Blizzard tends to just release the occasional "we banished 50,000 dirtbags to oblivion in the last quarter" type posts. I wish they'd actually just maintain a public, realtime hit-list so we could watch the banhammer at work, but I doubt they'd do it.

Sounds like Blizzard's customer service is pretty bad. If they aren't going to provide any information, then how can they expect anyone to know what caused them to lose their stuff in the first place? Their generic responses, while possibly true or accurate, are also useless because people tend to ignore them once they hear them enough times without any reason to back it up. While it may not have been the rep's fault, maybe he really does have limited access, that's the worst kind of customer service. Put someone in a position to make it seem like they're able to help you and then give them nothing to actually help the customer, only a bunch of canned lines and half-assed tools.

I don't even play any of their games but I figured as popular as their games are, they should have plenty of experience in dealing with the issues and thus actually be good at it, but apparently not.

People have weak passwords, it's a given. Account systems get hacked. If you use the same passwords on multiple accounts, then your two-factor (email address + password) credentials are now a single known value and can be used on 'popular' sites.

You've hinted at the real weakness: the use of an e-mail address as part of the authentication.

It's fairly easy to set up 'dummy' e-mail addresses. But it's a bit of a nuisance. So virtually everyone either uses their regular e-mail address or a single 'spam destination' e-mail address for all of their various non-personal sign-ups.

Unfortunately, this creates an identity with a nice example of what kind of passwords you use. So if someone compromises the security on any aspect of your life, they get it all. It's a bit how Social Security numbers work with your financials. Once someone has your SSN, they've got the keys to the kingdom. Everything else is easy.

The odd consequence is that the two-step username/password is less secure than simply having a password. If you didn't have to enter your e-mail address as part of the authentication, you couldn't be linked to all those other accounts. Instead, your password would just stand alone. Yes, if you used 'password' your account could be easily hacked. But if you routinely used passwords like "micedonteatcheese", your account would be fairly secure.

That's really disappointing on Blizzard's part. With Rift, Trion uses a "coinlock" feature that locks your account from trading, mailing, and selling anything when you log in from a different IP. Doesn't stop you from playing and questing (if you happen to be playing with no access to email) but at least no one can rape your account of loot. Sounds like something Blizzard should implement too.

Ironically they instituted that as response to a mass hacking outbreak that in the end turned out to be purely down to a security error on Trion's part.
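The "coinlock" idea above is a general pattern: a login from an unfamiliar network keeps the session usable for play but blocks wealth-moving actions until the owner confirms through a second channel. The sketch below is an added example written for this page, not Trion's or Blizzard's code, and it assumes details the thread does not give: addresses are coarsened to a /24 (or /64 for IPv6) so a DHCP change inside the same block does not trip the lock, the confirmation code is assumed to be sent by e-mail out of band, and the account, action names and addresses are constructed.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Actions that move items or gold and therefore stay blocked while locked.
RESTRICTED = {"trade", "mail", "sell", "auction"}


@dataclass
class Account:
    name: str
    known_networks: Set[str] = field(default_factory=set)  # networks seen and confirmed
    coin_locked: bool = False
    unlock_code: Optional[str] = None  # set while a confirmation is pending


def network_of(ip):
    """Coarsen an address to its /24 (IPv4) or /64 (IPv6) so a small ISP
    reassignment does not count as a new location (assumed granularity)."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def login(acct, ip):
    """Admit the session; lock wealth-moving actions if the network is unfamiliar."""
    if network_of(ip) in acct.known_networks:
        return "normal"
    acct.coin_locked = True
    # In a real system this code is e-mailed to the owner; it never goes to the client.
    acct.unlock_code = secrets.token_hex(4)
    return "coin-locked"


def perform(acct, action):
    """Run a game action, refusing restricted ones while the lock is on."""
    if action in RESTRICTED and acct.coin_locked:
        raise PermissionError(f"{action} blocked: confirm the new location first")
    return f"{action} ok"


def confirm(acct, code, ip):
    """Lift the lock and remember the network if the out-of-band code matches."""
    if acct.unlock_code is None or not secrets.compare_digest(code, acct.unlock_code):
        return False
    acct.known_networks.add(network_of(ip))
    acct.coin_locked = False
    acct.unlock_code = None
    return True


def scenario():
    """Walk one constructed account through a familiar login, a new-network login,
    a blocked trade, a bad code, a good code, and the now-trusted network."""
    acct = Account("demo", known_networks={network_of("203.0.113.7")})
    steps = [login(acct, "203.0.113.7"), perform(acct, "trade")]
    steps.append(login(acct, "198.51.100.9"))
    steps.append(perform(acct, "quest"))  # playing is still allowed
    try:
        perform(acct, "trade")
        steps.append("trade allowed")  # must not happen
    except PermissionError:
        steps.append("trade blocked")
    steps.append(confirm(acct, "00000000", "198.51.100.9"))   # wrong code
    steps.append(confirm(acct, acct.unlock_code, "198.51.100.9"))  # right code
    steps.append(perform(acct, "sell"))
    steps.append(login(acct, "198.51.100.200"))  # same /24, now trusted
    return steps


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The lock only helps if the confirmation channel is one the attacker does not already hold; as several posts in this thread point out, an e-mail account that shares the game password gives the attacker that channel too.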

Also, if you don't feel like shelling out for password lockers, get TrueCrypt. Create a small encrypted folder and put in a file that holds these passwords. Works like a charm.

KeePass is open source and free. Put the password file on Dropbox, Google Drive, etc, and it makes it really easy to use on all of your devices. For added security, use a key file too, that you don't keep on the cloud drive.

It's unfortunate that you had to wait on hold, and that the services for investigation were not more precise. That said, it's nice to see that you didn't use this opportunity to attack the game again for its shortcomings.

It is also a shame you didn't point out that the system Activision/Blizzard uses is not in any way sufficient for the job intended. This is a Sony level security failure. When moments away from real-money(tm) trades then completely accurate and verifiable logs are a must have, not an "oh, what is that?".

Here is a question: how are these accounts being hacked? The hacker has to know TWO things (I don't know if anyone with an authenticator has been hacked yet).

They need these two things:
1) Email address of the account
2) Password of the account

Even on the Blizzard forums itself you use an alias and I don't believe it shows your account email address to anyone. PS. Never use an email address for your account and show the same email address in your personal contact information

Secondly, these passwords would have to be amazingly simple. If Kyle Orland doesn't use the same password any more on any of his account I would like to know what password he had used.

So again, how are they being hacked? Does the game actually send the login information encrypted or in plain text?

I understand. I don't mean to imply people are dumb or stupid if they get hacked. It's more just ignorance. Not in a demeaning way, just that they don't know about this stuff. Blizzard does try to push you into an authenticator (less support for them) pretty hard though. Seems the ads are all over their site and they spam me about it too.

I don't mean to offend anyone. If you got "hacked", just get an authenticator and don't give it a second thought.

I removed the auth token from my account, because the damned thing was more of a pain than it was worth; every time I turned around I was having to call Blizzard because some non-system update had caused it to think my phone had changed too much, or was out of sync, or some other retardedness.

That's odd. I've been using an authenticator for a year now, first on Android, now on an iPhone, and have never had a problem with it.

Quote:

When I pressed the rep for any details on how this account compromise might have happened, he said there was no way to be sure, and gave me the same old song and dance about keyloggers and viruses being the primary culprits. When I asked if he could go in and track what had happened to my loot and when, he apologized and said the only records he had access to were ones that showed when my account had been accessed. This seems like a pretty limited virtual crime-scene investigation tool, considering this problem happened in a game in which every player is online and every action, authorized or not, is presumably logged on a server somewhere. Then again, it's possible the capability exists, but the information is provided on a strict need-to-know basis to protect my privacy.

I reckon that they won't give out that info to just any Tom, Dick and Harry, because basically the information you are seeking is helpful to hackers: it can help them clean up their tracks, find other weaknesses. It just basically isn't good security practice to divulge what you know.

Same. The only time I had to call Blizzard was when I got a new phone, started fresh and wiped my old phone. I didn't save the codes, so it was like a 2 day process to get the authenticator removed. Now the SMS feature appears to speed that up.

Or use the free authenticator app for major smartphones. There's really no one to blame when you "get hacked" but yourself nowadays. Taking reasonable precautions like not sharing info, not installing malware and using 2-factor authentication (PWs are easy to guess, it's no longer an excuse to say your PW is complex) should come naturally for anything you don't want people to get into.

This isn't directed at the OP, just in general. It sucks to get "hacked" but you can stop it from happening.

Since when did people start to actively install malware?

Since, forever? Weren't there bad WoW mods and ads on Curse? If you got bit by those, it's your fault. That stuff doesn't install itself. Even if it did, an authenticator would have prevented it and it's far from an unreasonable action to get one by default.

I'm not trying to be a shit head, but in my family of 8, we've never used AV software or malware scans. I taught my over-60 parents to not install stupid shit and don't even click things that are suspicious. We do all of our banking online, everything is digital in our house. We've never had so much as an errant PW reset email, never mind being "hacked".

I think it's just easier to blame the evil hacker instead of evaluating your own practices. WoW and now D3 are notorious for "hackers".

The problem with that is I have had to remove two rootkits from a co-worker's computer. This guy will ask me questions if something seems odd with an email, website, or download. I have another co-worker that I ended up locking down with Deep Freeze. Not because of viruses, but because he installed just about any program he came across.

My point is that you can use all the protection that you want, but unless you unplug your computer from any type of network and connect any removable media devices to it you are not ever secure. Enough with this "it's the user's fault for downloading malware" attitude.

And this isn't "hackers". It is most likely social engineering or someone that found a password list on pastebin. Online banking is about as secure as email when it comes to ease of access. Just gather some information on your target, answer the handful of questions, and you're in. I called my bank once because I forgot the credentials to one of my accounts and was astonished by how simple it was to get what I needed.

But how'd those co-workers get the rootkit? They installed it, unwillingly of course. The second user was clearly at fault. The first user wasn't necessarily, he at least asks questions, but he obviously didn't one time. Again though, it's their own fault. Not because they are dumb or stupid, but because they don't know any better. Ignorance isn't an excuse unfortunately.

I agree that you can't be 100%. That's really a given. My point is you can be secure enough to the point where if something does happen, you can safely say you did all you could (within reason). Tying back to my original point, there's really no reason to not take the massive (even though not 100%) security boost that is the authenticator. If you got hacked with one (and I'm pretty sure it hasn't happened yet) at least you can say "Fuck it, I tried."

I'm saying "hacked" because I think it's a poor choice too. And you need a new bank man!

It's not a guarantee. The authenticator can just simply stop functioning or have errors making it difficult for you to even play your own game. Sometimes it simply doesn't sync even after syncing multiple times. All a person can really do is make sure he has precautions in place and has done his due diligence. It, however, does not guarantee your safety.

If someone wants to get in, no lock will keep him out. I don't like the mentality that it is only the fault of the user. That is not always the case and just as dangerous a mindset as a user who thinks [company X] will do that protection for them.

Mind elaborating on what is so deficient about their system?

Not enough transactional logging?

Quote:

When I asked if he could go in and track what had happened to my loot and when, he apologized and said the only records he had access to were ones that showed when my account had been accessed.

I think at this point we are arguing over semantics. There are people out there that are clearly at fault for malware infections, but there are others that do everything they can and still get hit with something from a site that should be clean (say a church website). The common thought used to be if you slept with dogs you would get fleas, but now you can get fleas while praying for forgiveness. That was the point I was trying to make.

It isn't just my bank. I had to deal with the same easy to figure out questions (Hell one of the answers was the name of my business!) when Paypal wanted me to re-authenticate my account. Real account security is nonexistent.

He was obviously lying though. It's not like he's going to tell you anything, there's no point. Someone mentioned that above with a reasonable explanation that convinced me.

Sorry, context clarification: who's lying? There are several people referred to in my post.

If you have a decent alphanumeric password, try googling it every once in a while and see if it shows up on a hash cracking site.

Although I know you mean well, do not under any circumstances have anyone google their password. You are just asking for trouble if you do that. You are better off going to said hash cracking sites, downloading their lists, and doing a text search of the document for your password.

Plugging a password into a search engine will end up adding the value to the engine, which is a huge risk to you no matter how small the odds of someone pairing it to your username(s). The value that you just searched for could end up on the hash cracking site just because you searched for it at one point.
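The offline check the reply above recommends, written out as an added example (this is not code from any commenter on this thread): it streams a locally downloaded list and compares each line against the candidate password and its MD5/SHA-1 hex hashes, so the secret never leaves the machine. It assumes the list is one entry per line, either plaintext or a hex hash, and the sample list here is constructed, not real leak data. As a generalisation of the same point (never hand the secret to a third party), it also shows the prefix-range lookup pattern, where a client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally; the "server" side is a simulated in-memory index built from the same constructed list, and no real service is contacted.

```python
import hashlib
import os
import tempfile

# Constructed sample "downloaded list": a few plaintext entries and a few
# hex hashes, standing in for a real wordlist. Not actual leaked data.
SAMPLE_LIST = "\n".join([
    "password1",
    "letmein",
    "Tr0ub4dor&3",
    hashlib.sha1(b"hunter2").hexdigest(),   # stored as a SHA-1 hash
    hashlib.md5(b"qwerty").hexdigest(),     # stored as an MD5 hash
]) + "\n"


def write_sample_list() -> str:
    """Write the constructed list to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(SAMPLE_LIST)
    return path


def password_in_local_list(password: str, path: str) -> bool:
    """True if `password`, or its MD5/SHA-1 hex hash, is a full line in the
    local list file. The candidate is only ever compared in memory: no
    network request, no logging, no writing it anywhere."""
    plain = password.encode("utf-8")
    hashes = {hashlib.md5(plain).hexdigest(), hashlib.sha1(plain).hexdigest()}
    with open(path, encoding="utf-8", errors="ignore") as f:
        for line in f:
            entry = line.rstrip("\r\n")
            # Exact match on plaintext; case-insensitive match on hex hashes.
            if entry == password or entry.lower() in hashes:
                return True
    return False


# --- Generalisation: prefix-range (k-anonymity style) lookup, simulated ---

def build_prefix_index(plaintexts) -> dict:
    """Simulated server side: map 5-char SHA-1 prefixes to the set of
    35-char suffixes for every entry in the (constructed) list."""
    index = {}
    for pw in plaintexts:
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def password_in_range_index(password: str, index: dict) -> bool:
    """Client side: only the 5-char prefix would be sent over the wire;
    the suffix comparison happens locally, so the server learns neither
    the password nor its full hash."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    return suffix in index.get(prefix, set())


if __name__ == "__main__":
    path = write_sample_list()
    try:
        for candidate in ("letmein", "hunter2", "correct horse battery staple"):
            print(candidate, "in local list:", password_in_local_list(candidate, path))
    finally:
        os.remove(path)
    idx = build_prefix_index(["letmein", "hunter2", "qwerty"])
    print("hunter2 via range lookup:", password_in_range_index("hunter2", idx))
```

Both functions answer the same question; the difference is what leaves the machine: nothing in the first case, a five-character hash prefix in the second. Searching the password in a search engine, by contrast, sends the full secret to a party that keeps query logs.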

Or use the free authenticator app for major smartphones. There's really no one to blame when you "get hacked" but yourself nowadays. Taking reasonable precautions like not sharing info, not installing malware, and using 2-factor authentication (PWs are easy to guess; it's no longer an excuse to say your PW is complex) should come naturally for anything you don't want people to get into.

This isn't directed at the OP, just in general. It sucks to get "hacked" but you can stop it from happening.

Since when did people start to actively install malware?

Since, forever? Weren't there bad WoW mods and ads on Curse? If you got bit by those, it's your fault. That stuff doesn't install itself. Even if it did, an authenticator would have prevented it and it's far from an unreasonable action to get one by default.

I'm not trying to be a shit head, but in my family of 8, we've never used AV software or malware scans. I taught my over-60 parents to not install stupid shit and to not even click things that are suspicious. We do all of our banking online; everything is digital in our house. We've never had so much as an errant PW reset email, never mind being "hacked".

I think it's just easier to blame the evil hacker instead of evaluating your own practices. WoW and now D3 are notorious for "hackers".

The problem with that is I have had to remove two rootkits from a co-worker's computer. This guy will ask me questions if something seems odd with an email, website, or download. I have another co-worker that I ended up locking down with Deep Freeze. Not because of viruses, but because he installed just about any program he came across.

My point is that you can use all the protection that you want, but unless you unplug your computer from any type of network and never connect any removable media devices to it, you are not ever secure. Enough with this "it's the user's fault for downloading malware" attitude.

And this isn't "hackers". It is most likely social engineering or someone that found a password list on pastebin. Online banking is about as secure as email when it comes to ease of access. Just gather some information on your target, answer the handful of questions, and you're in. I called my bank once because I forgot the credentials to one of my accounts and was astonished by how simple it was to get what I needed.

But how'd those co-workers get the rootkit? They installed it, unwillingly of course. The second user was clearly at fault. The first user wasn't necessarily, he at least asks questions, but he obviously didn't one time. Again though, it's their own fault. Not because they are dumb or stupid, but because they don't know any better. Ignorance isn't an excuse unfortunately.

I agree that you can't be 100%. That's really a given. My point is you can be secure enough to the point where if something does happen, you can safely say you did all you could (within reason). Tying back to my original point, there's really no reason to not take the massive (even though not 100%) security boost that is the authenticator. If you got hacked with one (and I'm pretty sure it hasn't happened yet) at least you can say "Fuck it, I tried."

I'm saying "hacked" because I think it's a poor choice too. And you need a new bank man!

That's a good example and it helps further my point. There's a way to ensure that your chances of getting fleas are closer to what you have while praying than what you have while sleeping with dogs. It's called the authenticator. If you pray, you know about it, it's free, and it's effective.

Using the authenticator basically gives you the best chance. If you aren't giving yourself the best chance and doing what you can to help, there's only one person at fault when things go south.

No problem. I'm thinking the support guy. He either doesn't know, or is lying. I just think of it from the business standpoint of "why would this guy tell the customer?". It wouldn't really help anyone and would probably just lead to more questions, longer calls...

That's not really the problem at all. There are plenty of complex passwords that don't involve case.

The problem is that people just aren't taking all the reasonable measures. Ignorance is not an excuse. If you play D3, you know about hacking and you know about authentication. Those are, at least for the time being, mutually exclusive.

The real problem here is that Battle.net passwords are not secure by design, they are not case sensitive. Go ahead and give it a try. This needs to change Blizzard!

Passwords not being case sensitive is disturbing, no doubt, but it probably isn't as big a security hole as people are making it out to be. The simple fact is that compromised accounts very rarely come from brute-forcing passwords; social engineering attacks and compromised systems tend to lead to compromised accounts in the vast majority of cases.

Personally, I don't think he is lying. That kind of low-level transactional record would be outside the view of support, who usually won't understand those kinds of logs in the first place.

What needs to happen, though, is that support NEEDS to be able to access that information and understand it, especially if real money starts to get involved. That may be the reason for the RMAH release delays.

Definitely. I'm only referring to Blizzard games with this. While I think it's definitely possible to get infected overall (we see exploit reports all day long on sites like Ars), I think common sense goes really far here too (hence my family anecdote).

I'm just the IT guy for an SMB of about 225 people, nothing very specific, I have to do it all.

Kyle Orland is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from the University of Maryland. He is based in Pittsburgh, PA.